I have a working patch with tests and docs for #13978, which would add the ability to have inline JS and CSS in forms.Media. I feel that this ticket is a much better solution than, e.g., scattering the required inline media throughout your templates. However the issue was raised that this goes against the W3C's Content Security Policy. Per Julian's recommendation, I am bringing this here for consideration.
Ticket: https://code.djangoproject.com/ticket/13978

CSP is an opt-in policy and must be supported by both the web application and the browser to be effective. Django itself does not support CSP out of the box (though django-csp[0] exists to facilitate this) and a bit over half of browsers currently support it[1]. I'm not sure how (or if) that affects this discussion.

Although the recommendation is to move all inline scripts and styles to external resources, the policy does include a mechanism to explicitly allow inline scripts and styles in the form of the "unsafe-inline" directive. This makes it pretty clear that you're losing a bit of CSP's protection by enabling this. Perhaps the docs could be updated with a warning for developers that want to take advantage of CSP?

I appreciate any thoughts, comments, and feedback.

Thanks,
--Derek

[0] https://github.com/mozilla/django-csp/
[1] http://caniuse.com/contentsecuritypolicy
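As an added illustration of the trade-off discussed in the message above (example code, not part of the patch, Django or django-csp), here is a small Python evaluator of how a CSP script-src directive treats an inline <script> block like the inline media the proposal would emit: with only 'self' the block is refused, with 'unsafe-inline' it runs but so does any injected inline script, and a per-response nonce lets only the tagged block run. The function names and the parsing are constructed for this example and simplify the spec's source-matching rules.

```python
"""Constructed example (not Django's or django-csp's code): how a CSP
script-src directive treats an inline <script> block such as the inline
JS the proposed forms.Media change would emit. Simplified spec rules."""
import secrets


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def inline_script_allowed(header, nonce=None):
    """True if an inline <script> (optionally carrying nonce="...") would run.

    script-src governs scripts and falls back to default-src. Inline scripts
    are blocked unless 'unsafe-inline' is listed or the block carries a nonce
    matching a 'nonce-...' source. As in CSP level 2+, listing any nonce or
    hash source makes the browser ignore 'unsafe-inline'.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: browser default, inline runs
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    hashes = [s for s in sources if s.startswith(("'sha256-", "'sha384-", "'sha512-"))]
    if nonce is not None and nonce in nonces:
        return True
    if nonces or hashes:
        return False  # nonce/hash present, so 'unsafe-inline' is ignored
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    nonce = secrets.token_urlsafe(16)  # a fresh nonce per response
    strict = "default-src 'self'; script-src 'self'"
    loose = "default-src 'self'; script-src 'self' 'unsafe-inline'"
    nonced = f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"
    print(inline_script_allowed(strict))         # False: inline media is blocked
    print(inline_script_allowed(loose))          # True: any inline script runs too
    print(inline_script_allowed(nonced, nonce))  # True: only the tagged block runs
```

A Media-style helper that emits inline blocks would therefore need either the documented 'unsafe-inline' warning or a way to attach the response's nonce to each block.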
